Wired Intelligent Edge (Campus Switching and Routing)


DUR Not Working For MAC-Based Clients -- Event Log Shows User Role Is Invalid 

Jul 27, 2019 01:18 PM

Problem:

When the switch is configured to use downloaded user roles (DUR) from ClearPass Policy Manager (CPPM), under certain conditions the following event is logged:

W 07/11/19 00:48:53 05204 dca: Failed to apply user role TEST_DUR-3045-1_7Z4q to macAuth client 005056831001 on port 2: user role is invalid.

In this event the client MAC is 005056831001, the port is 2, and the DUR name is TEST_DUR-3045-1 (the trailing _7Z4q is a suffix the switch adds to the downloaded copy of the role; it is not part of the name configured on CPPM).

 



Diagnostics:

The following MAC-based authentication debug messages report the same failure. Note that the role has already been assigned by RADIUS; it is the attempt to apply it that fails, after which the switch falls back to the initial role:

 

0000:00:48:53.15 MAC  mWebAuth:Failed to apply user role TEST_DUR-3045-1_7Z4q to macAuth client 005056831001 on port 2: user role is invalid.

0000:00:48:53.30 MAC  mWebAuth:Port: 2 MAC: 005056-831001 [58] assigned role 'TEST_DUR-3045-1_7Z4q' failed, attempting to apply initial role.

 

The following debug commands narrow the issue down (substitute the affected port for <port_number>):

 

SW-1# debug destination session

SW-1# debug destination buffer

SW-1# debug security radius-server

SW-1# debug security ssl

SW-1# debug security port-access mac-based include port <port_number>

 

The SSL debug output shows:

 

0000:00:48:51.28 SSL  mcppmTask:handleClientHandshakeMessages() returns status =

0000:00:48:51.37 SSL  mcppmTask:-1

0000:00:48:51.41 SSL  mcppmTask:SSL_SOCK_receive() returns status =

0000:00:48:51.48 SSL  mcppmTask:-1

0000:00:48:51.52 SSL  mcppmTask:SSL:doProtocol() returns status =

0000:00:48:51.59 SSL  mcppmTask:-1

0000:00:48:51.63 SSL  mcppmTask:SSL_negotiateConnection() returns status =

0000:00:48:51.71 SSL  mcppmTask:-1

0000:00:48:51.74 SSL  mcppmTask:SSL_closeConnection() from AppType:

0000:00:48:51.82 SSL  mcppmTask:4

 

In the SSL debug above every stage of the handshake (handleClientHandshakeMessages, SSL_SOCK_receive, doProtocol, SSL_negotiateConnection) returns -1 and the connection is then closed, so the TLS session between the switch and CPPM was never established. This is the HTTPS session the switch opens to CPPM to download the role definition after RADIUS has returned the role name; the RADIUS exchange itself is not what fails here. A common cause is that the switch has no trust anchor for the CA that issued the CPPM HTTPS server certificate: the switch cannot validate the certificate, aborts the handshake, never receives the role, and the apply fails with "user role is invalid". Make sure the CA you install is the one that actually issued the certificate CPPM presents on port 443; a CPPM HTTPS certificate renewed from a different CA breaks DUR in exactly the same way.
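The triage script below is an added example and is not part of the original post. It is a small POSIX shell script that pulls the failed DUR applies (client MAC, port, role name) out of saved debug output and checks for the two-line "returns status =" / "-1" pattern that SSL_negotiateConnection() prints, which a single-line grep would miss. The sample log is constructed from the lines quoted above; the log file name and the assumption that a downloaded role carries a "_<random>" suffix after the configured name are mine, not the switch documentation's.

```shell
#!/bin/sh
# Added triage script (not from the original post): extract failed DUR applies from
# saved switch debug output and decide whether the TLS session to CPPM is the reason.
# Sample constructed from the lines quoted in the post; file name is an assumption.
LOG="${TMPDIR:-/tmp}/dur_debug.log"

write_sample() {
  cat > "$1" <<'EOF'
0000:00:48:51.63 SSL  mcppmTask:SSL_negotiateConnection() returns status =
0000:00:48:51.71 SSL  mcppmTask:-1
0000:00:48:51.74 SSL  mcppmTask:SSL_closeConnection() from AppType:
0000:00:48:51.82 SSL  mcppmTask:4
W 07/11/19 00:48:53 05204 dca: Failed to apply user role TEST_DUR-3045-1_7Z4q to macAuth client 005056831001 on port 2: user role is invalid.
0000:00:48:53.15 MAC  mWebAuth:Failed to apply user role TEST_DUR-3045-1_7Z4q to macAuth client 005056831001 on port 2: user role is invalid.
0000:00:48:53.30 MAC  mWebAuth:Port: 2 MAC: 005056-831001 [58] assigned role 'TEST_DUR-3045-1_7Z4q' failed, attempting to apply initial role.
EOF
}

# dur_failures FILE
# Prints one line per "dca: Failed to apply user role" event:
#   <client MAC> <port> <role as downloaded> <role name as configured on CPPM>
dur_failures() {
  awk '
    /dca: Failed to apply user role/ {
      role = ""; mac = ""; port = ""
      for (i = 1; i < NF; i++) {
        # the sentence ends with "user role is invalid", so only take the first "role"
        if ($i == "role"   && role == "") role = $(i + 1)
        if ($i == "client" && mac  == "") mac  = $(i + 1)
        if ($i == "port"   && port == "") port = $(i + 1)
      }
      sub(/:$/, "", port)               # "2:" -> "2"
      base = role
      sub(/_[A-Za-z0-9]+$/, "", base)   # assumption: switch suffixes the DUR name with "_<random>"
      print mac, port, role, base
    }' "$1"
}

# ssl_negotiation_failed FILE
# Exit 0 if SSL_negotiateConnection() returned -1. The switch prints the status on
# the line *after* "returns status =", so the previous line's state has to be carried.
ssl_negotiation_failed() {
  awk '
    pending && /mcppmTask:-1/ { found = 1 }
    { pending = ($0 ~ /SSL_negotiateConnection\(\) returns status =/) }
    END { exit(found ? 0 : 1) }
  ' "$1"
}

# diagnose FILE: human-readable summary of the two checks above
diagnose() {
  if ssl_negotiation_failed "$1"; then
    echo "TLS negotiation with CPPM failed: check the trust-anchor (root CA) profile on the switch"
  else
    echo "TLS negotiation with CPPM succeeded: the server certificate chain is not the cause"
  fi
  dur_failures "$1" | while read -r mac port role base; do
    echo "client $mac on port $port: role $base (downloaded as $role) was not applied"
  done
}

write_sample "$LOG"
diagnose "$LOG"
```

Run it against a larger export (many clients, many ports) and the dur_failures output gives you the affected population in one pass, while ssl_negotiation_failed tells you whether they all share the certificate cause.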

 

 



Solution:

Extract the root CA certificate from the CPPM HTTPS certificate chain (the self-signed certificate at the top of the chain, not the CPPM server certificate itself) and install it on the switch in a trust-anchor (TA) profile.

 

---------------Install Root Certificate---------------

SW-1(config)# crypto pki ta-profile CPPM                                  //crypto pki ta-profile <profile-name>

SW-1# copy tftp ta-certificate CPPM 192.168.1.15 <filename>               //copy tftp ta-certificate <profile-name> <TFTP-server-IP-addr> <root-CA-file>

The file is the root CA certificate in PEM format, placed on the TFTP server (192.168.1.15 in this example); <filename> stands for its name on that server. After the copy completes, re-run the SSL debug and re-authenticate the client: a successful handshake no longer shows the -1 statuses from SSL_negotiateConnection(), and the dca "user role is invalid" event stops.
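The script below is an added example, not part of the original post, and reproduces offline what the switch does with the TA profile. A constructed root CA signs a constructed "CPPM" server certificate; the root is then pulled out of the server's chain the way you would pull it out of the output of "openssl s_client -showcerts -connect <cppm>:443", and the server certificate is verified with and without that root. The names (Example Root CA, cppm.example.com) and the temporary file layout are made up for the example.

```shell
#!/bin/sh
# Added example (not from the original post): extract the root from a server certificate
# chain and show that only the root, installed as a trust anchor, makes the server
# certificate verify. The CA and server names are constructed.
set -e
W=$(mktemp -d)

# Minimal config so the self-signed root is a real CA regardless of the system openssl.cnf.
cat > "$W/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
EOF

# make_chain: root CA plus a server cert signed by it, concatenated leaf-first as a TLS server sends it
make_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$W/ca.cnf" \
    -subj "/CN=Example Root CA" -keyout "$W/root.key" -out "$W/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$W/ca.cnf" \
    -subj "/CN=cppm.example.com" -keyout "$W/server.key" -out "$W/server.csr" 2>/dev/null
  openssl x509 -req -in "$W/server.csr" -CA "$W/root.pem" -CAkey "$W/root.key" \
    -CAcreateserial -days 30 -out "$W/server.pem" 2>/dev/null
  cat "$W/server.pem" "$W/root.pem" > "$W/chain.pem"
}

# extract_root CHAIN OUT: split the PEM chain and copy the self-signed member (subject == issuer).
# That is the certificate to load into the switch TA profile, not the server (leaf) certificate.
extract_root() {
  awk -v dir="$W" '/-----BEGIN CERTIFICATE-----/ { n++ } n > 0 { print > (dir "/part" n ".pem") }' "$1"
  for f in "$W"/part*.pem; do
    s=$(openssl x509 -noout -subject -in "$f"); s=${s#subject=}
    i=$(openssl x509 -noout -issuer  -in "$f"); i=${i#issuer=}
    if [ "$s" = "$i" ]; then cp "$f" "$2"; return 0; fi
  done
  echo "no self-signed certificate in chain" >&2
  return 1
}

# verify_leaf LEAF CAFILE: succeeds only if LEAF chains to a CA in CAFILE.
# Nothing but CAFILE is trusted, which mirrors the switch trusting only its TA profiles.
verify_leaf() {
  openssl verify -no-CApath -no-CAfile -CAfile "$2" "$1" >/dev/null 2>&1
}

make_chain
extract_root "$W/chain.pem" "$W/extracted-root.pem"
: > "$W/empty.pem"
if verify_leaf "$W/server.pem" "$W/empty.pem"; then
  echo "unexpected: leaf verified with no trust anchor"
else
  echo "no trust anchor: server certificate rejected (the switch's symptom)"
fi
verify_leaf "$W/server.pem" "$W/extracted-root.pem" && echo "root installed: same certificate verifies"
```

Loading the server (leaf) certificate into the TA profile instead of the root does not help: it is not self-signed, so it is not a trust anchor, and verification still fails with an unknown issuer. Against a live CPPM, feed the "-----BEGIN CERTIFICATE-----" blocks from the s_client output to extract_root and install the certificate it returns.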
